2025-12-09 17:51:05 +00:00
---
2026-01-21 17:45:12 +00:00
summary: "Runbook for the Gateway service, lifecycle, and operations"
2025-12-09 17:51:05 +00:00
read_when:
- Running or debugging the gateway process
2026-01-31 16:04:03 -05:00
title: "Gateway Runbook"
2025-12-09 17:51:05 +00:00
---
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
# Gateway runbook
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
Use this page for day-1 startup and day-2 operations of the Gateway service.
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
<CardGroup cols={2}>
<Card title="Deep troubleshooting" icon="siren" href="/gateway/troubleshooting">
Symptom-first diagnostics with exact command ladders and log signatures.
</Card>
<Card title="Configuration" icon="sliders" href="/gateway/configuration">
Task-oriented setup guide + full configuration reference.
</Card>
2026-02-24 16:26:51 -06:00
<Card title="Secrets management" icon="key-round" href="/gateway/secrets">
SecretRef contract, runtime snapshot behavior, and migrate/reload operations.
</Card>
2026-02-26 14:32:04 +01:00
<Card title="Secrets plan contract" icon="shield-check" href="/gateway/secrets-plan-contract">
Exact `secrets apply` target/path rules and ref-only auth-profile behavior.
</Card>
2026-02-11 10:44:34 -05:00
</CardGroup>
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
## 5-minute local startup
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
<Steps>
<Step title="Start the Gateway">
2026-01-31 21:13:13 +09:00
2025-12-09 14:41:41 +01:00
``` bash
2026-01-30 03:15:10 +01:00
openclaw gateway --port 18789
2026-02-11 10:44:34 -05:00
# debug/trace mirrored to stdio
2026-01-30 03:15:10 +01:00
openclaw gateway --port 18789 --verbose
2026-02-11 10:44:34 -05:00
# force-kill listener on selected port, then start
2026-01-30 03:15:10 +01:00
openclaw gateway --force
2025-12-09 14:41:41 +01:00
```
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
</Step>
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
<Step title="Verify service health">
``` bash
openclaw gateway status
openclaw status
openclaw logs --follow
```
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Healthy baseline: `Runtime: running` and `RPC probe: ok` .
2026-02-06 10:08:59 -05:00
2026-02-11 10:44:34 -05:00
</Step>
2026-02-06 10:08:59 -05:00
2026-02-11 10:44:34 -05:00
<Step title="Validate channel readiness">
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
``` bash
openclaw channels status --probe
```
2026-01-03 11:46:58 +01:00
2026-04-04 18:52:01 +01:00
With a reachable gateway this runs live per-account channel probes and optional audits.
If the gateway is unreachable, the CLI falls back to config-only channel summaries instead
of live probe output.
2026-02-11 10:44:34 -05:00
</Step>
</Steps>
2026-01-13 05:58:46 +00:00
2026-02-11 10:44:34 -05:00
<Note>
Gateway config reload watches the active config file path (resolved from profile/state defaults, or `OPENCLAW_CONFIG_PATH` when set).
Default mode is `gateway.reload.mode="hybrid"` .
2026-03-29 22:56:35 +01:00
After the first successful load, the running process serves the active in-memory config snapshot; successful reload swaps that snapshot atomically.
2026-02-11 10:44:34 -05:00
</Note>
2026-01-03 11:46:58 +01:00
2026-02-11 10:44:34 -05:00
## Runtime model
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
- One always-on process for routing, control plane, and channel connections.
- Single multiplexed port for:
- WebSocket control/RPC
2026-03-24 16:53:51 -07:00
- HTTP APIs, OpenAI compatible (`/v1/models` , `/v1/embeddings` , `/v1/chat/completions` , `/v1/responses` , `/tools/invoke` )
2026-02-11 10:44:34 -05:00
- Control UI and hooks
- Default bind mode: `loopback` .
2026-04-04 14:12:23 +01:00
- Auth is required by default. Shared-secret setups use
`gateway.auth.token` / `gateway.auth.password` (or
`OPENCLAW_GATEWAY_TOKEN` / `OPENCLAW_GATEWAY_PASSWORD` ), and non-loopback
reverse-proxy setups can use `gateway.auth.mode: "trusted-proxy"` .
2026-01-11 02:17:10 +01:00
2026-03-24 16:53:51 -07:00
## OpenAI-compatible endpoints
OpenClaw’ s highest-leverage compatibility surface is now:
- `GET /v1/models`
- `GET /v1/models/{id}`
- `POST /v1/embeddings`
- `POST /v1/chat/completions`
- `POST /v1/responses`
Why this set matters:
- Most Open WebUI, LobeChat, and LibreChat integrations probe `/v1/models` first.
- Many RAG and memory pipelines expect `/v1/embeddings` .
- Agent-native clients increasingly prefer `/v1/responses` .
Planning note:
2026-03-24 18:02:57 -07:00
- `/v1/models` is agent-first: it returns `openclaw` , `openclaw/default` , and `openclaw/<agentId>` .
- `openclaw/default` is the stable alias that always maps to the configured default agent.
- Use `x-openclaw-model` when you want a backend provider/model override; otherwise the selected agent's normal model and embedding setup stays in control.
2026-03-24 16:53:51 -07:00
All of these run on the main Gateway port and use the same trusted operator auth boundary as the rest of the Gateway HTTP API.
2026-02-11 10:44:34 -05:00
### Port and bind precedence
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
| Setting | Resolution order |
| ------------ | ------------------------------------------------------------- |
| Gateway port | `--port` → `OPENCLAW_GATEWAY_PORT` → `gateway.port` → `18789` |
| Bind mode | CLI/override → `gateway.bind` → `loopback` |
2026-01-11 02:17:10 +01:00
2026-02-11 10:44:34 -05:00
### Hot reload modes
2026-01-15 18:08:20 +01:00
2026-02-11 10:44:34 -05:00
| `gateway.reload.mode` | Behavior |
| --------------------- | ------------------------------------------ |
| `off` | No config reload |
| `hot` | Apply only hot-safe changes |
| `restart` | Restart on reload-required changes |
| `hybrid` (default) | Hot-apply when safe, restart when required |
2026-01-05 01:25:42 +01:00
2026-02-11 10:44:34 -05:00
## Operator command set
2026-01-05 01:25:42 +01:00
``` bash
2026-02-11 10:44:34 -05:00
openclaw gateway status
2026-04-04 19:06:30 +01:00
openclaw gateway status --deep # adds a system-level service scan
2026-02-11 10:44:34 -05:00
openclaw gateway status --json
openclaw gateway install
openclaw gateway restart
openclaw gateway stop
2026-02-24 16:26:51 -06:00
openclaw secrets reload
2026-02-11 10:44:34 -05:00
openclaw logs --follow
openclaw doctor
2026-01-05 01:25:42 +01:00
```
2026-04-04 19:06:30 +01:00
`gateway status --deep` is for extra service discovery (LaunchDaemons/systemd system
units/schtasks), not a deeper RPC health probe.
2026-04-04 19:10:31 +01:00
## Multiple gateways (same host)
Most installs should run one gateway per machine. A single gateway can host multiple
agents and channels.
You only need multiple gateways when you intentionally want isolation or a rescue bot.
Useful checks:
``` bash
openclaw gateway status --deep
openclaw gateway probe
```
What to expect:
- `gateway status --deep` can report `Other gateway-like services detected (best effort)`
and print cleanup hints when stale launchd/systemd/schtasks installs are still around.
- `gateway probe` can warn about `multiple reachable gateways` when more than one target
answers.
- If that is intentional, isolate ports, config/state, and workspace roots per gateway.
Detailed setup: [/gateway/multiple-gateways ](/gateway/multiple-gateways ).
2026-02-11 10:44:34 -05:00
## Remote access
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Preferred: Tailscale/VPN.
Fallback: SSH tunnel.
2026-01-05 01:25:42 +01:00
2026-02-11 10:44:34 -05:00
``` bash
ssh -N -L 18789:127.0.0.1:18789 user@host
```
2026-01-31 21:13:13 +09:00
2026-04-06 22:37:35 +08:00
Then connect clients locally to `ws://127.0.0.1:18789` .
2026-01-05 02:03:10 +01:00
2026-02-11 10:44:34 -05:00
<Warning>
2026-04-04 14:12:23 +01:00
SSH tunnels do not bypass gateway auth. For shared-secret auth, clients still
must send `token` /`password` even over the tunnel. For identity-bearing modes,
the request still has to satisfy that auth path.
2026-02-11 10:44:34 -05:00
</Warning>
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
See: [Remote Gateway ](/gateway/remote ), [Authentication ](/gateway/authentication ), [Tailscale ](/gateway/tailscale ).
2026-01-03 11:46:58 +01:00
2026-02-11 10:44:34 -05:00
## Supervision and service lifecycle
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Use supervised runs for production-like reliability.
2026-01-13 05:58:46 +00:00
2026-02-11 10:44:34 -05:00
<Tabs>
<Tab title="macOS (launchd)">
2026-01-31 21:13:13 +09:00
2026-01-03 11:46:58 +01:00
``` bash
2026-02-11 10:44:34 -05:00
openclaw gateway install
openclaw gateway status
openclaw gateway restart
openclaw gateway stop
2026-01-03 11:46:58 +01:00
```
2026-02-11 10:44:34 -05:00
LaunchAgent labels are `ai.openclaw.gateway` (default) or `ai.openclaw.<profile>` (named profile). `openclaw doctor` audits and repairs service config drift.
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
</Tab>
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
<Tab title="Linux (systemd user)">
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
``` bash
openclaw gateway install
systemctl --user enable --now openclaw-gateway[ -<profile>] .service
openclaw gateway status
```
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
For persistence after logout, enable lingering:
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
``` bash
sudo loginctl enable-linger <user>
2026-04-04 10:32:33 +01:00
```
Manual user-unit example when you need a custom install path:
``` ini
[Unit]
Description = OpenClaw Gateway
After = network-online.target
Wants = network-online.target
[Service]
ExecStart = /usr/local/bin/openclaw gateway --port 18789
Restart = always
RestartSec = 5
TimeoutStopSec = 30
TimeoutStartSec = 30
SuccessExitStatus = 0 143
KillMode = control-group
[Install]
WantedBy = default.target
2026-02-11 10:44:34 -05:00
```
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
</Tab>
2025-12-09 14:41:41 +01:00
2026-04-04 10:49:13 +01:00
<Tab title="Windows (native)">
``` powershell
openclaw gateway install
openclaw gateway status - -json
openclaw gateway restart
openclaw gateway stop
```
Native Windows managed startup uses a Scheduled Task named `OpenClaw Gateway`
(or `OpenClaw Gateway (<profile>)` for named profiles). If Scheduled Task
creation is denied, OpenClaw falls back to a per-user Startup-folder launcher
that points at `gateway.cmd` inside the state directory.
</Tab>
2026-02-11 10:44:34 -05:00
<Tab title="Linux (system service)">
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Use a system unit for multi-user/always-on hosts.
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
``` bash
sudo systemctl daemon-reload
sudo systemctl enable --now openclaw-gateway[ -<profile>] .service
```
2026-01-31 21:13:13 +09:00
2026-04-04 10:32:33 +01:00
Use the same service body as the user unit, but install it under
`/etc/systemd/system/openclaw-gateway[-<profile>].service` and adjust
`ExecStart=` if your `openclaw` binary lives elsewhere.
2026-02-11 10:44:34 -05:00
</Tab>
</Tabs>
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
## Multiple gateways on one host
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Most setups should run **one ** Gateway.
Use multiple only for strict isolation/redundancy (for example a rescue profile).
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
Checklist per instance:
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
- Unique `gateway.port`
- Unique `OPENCLAW_CONFIG_PATH`
- Unique `OPENCLAW_STATE_DIR`
- Unique `agents.defaults.workspace`
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
Example:
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
``` bash
OPENCLAW_CONFIG_PATH = ~/.openclaw/a.json OPENCLAW_STATE_DIR = ~/.openclaw-a openclaw gateway --port 19001
OPENCLAW_CONFIG_PATH = ~/.openclaw/b.json OPENCLAW_STATE_DIR = ~/.openclaw-b openclaw gateway --port 19002
```
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
See: [Multiple gateways ](/gateway/multiple-gateways ).
2026-01-07 21:37:05 +01:00
2026-02-11 10:44:34 -05:00
### Dev profile quick path
2026-01-07 21:37:05 +01:00
``` bash
2026-02-11 10:44:34 -05:00
openclaw --dev setup
openclaw --dev gateway --allow-unconfigured
openclaw --dev status
2026-01-07 21:37:05 +01:00
```
2026-02-11 10:44:34 -05:00
Defaults include isolated state/config and base gateway port `19001` .
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
## Protocol quick reference (operator view)
2026-01-07 21:37:05 +01:00
2026-02-11 10:44:34 -05:00
- First client frame must be `connect` .
- Gateway returns `hello-ok` snapshot (`presence` , `health` , `stateVersion` , `uptimeMs` , limits/policy).
2026-04-04 21:17:54 +01:00
- `hello-ok.features.methods` / `events` are a conservative discovery list, not
a generated dump of every callable helper route.
2026-02-11 10:44:34 -05:00
- Requests: `req(method, params)` → `res(ok/payload|error)` .
2026-04-04 21:25:40 +01:00
- Common events include `connect.challenge` , `agent` , `chat` ,
`session.message` , `session.tool` , `sessions.changed` , `presence` , `tick` ,
`health` , `heartbeat` , pairing/approval lifecycle events, and `shutdown` .
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Agent runs are two-stage:
2025-12-19 19:20:57 +01:00
2026-02-11 10:44:34 -05:00
1. Immediate accepted ack (`status:"accepted"` )
2. Final completion response (`status:"ok"|"error"` ), with streamed `agent` events in between.
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
See full protocol docs: [Gateway Protocol ](/gateway/protocol ).
2026-01-08 21:28:40 +01:00
2026-02-11 10:44:34 -05:00
## Operational checks
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
### Liveness
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
- Open WS and send `connect` .
- Expect `hello-ok` response with snapshot.
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
### Readiness
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
``` bash
openclaw gateway status
openclaw channels status --probe
openclaw health
2026-01-05 18:38:30 +01:00
```
2026-02-11 10:44:34 -05:00
### Gap recovery
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
Events are not replayed. On sequence gaps, refresh state (`health` , `system-presence` ) before continuing.
2026-01-05 20:33:34 +01:00
2026-02-11 10:44:34 -05:00
## Common failure signatures
2026-01-07 01:21:36 +01:00
2026-04-03 20:00:20 +09:00
| Signature | Likely issue |
| -------------------------------------------------------------- | ------------------------------------------------------------------------------- |
2026-04-04 13:54:15 +01:00
| `refusing to bind gateway ... without auth` | Non-loopback bind without a valid gateway auth path |
2026-04-03 20:00:20 +09:00
| `another gateway instance is already listening` / `EADDRINUSE` | Port conflict |
| `Gateway start blocked: set gateway.mode=local` | Config set to remote mode, or local-mode stamp is missing from a damaged config |
| `unauthorized` during connect | Auth mismatch between client and gateway |
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
For full diagnosis ladders, use [Gateway Troubleshooting ](/gateway/troubleshooting ).
2025-12-09 14:41:41 +01:00
## Safety guarantees
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
- Gateway protocol clients fail fast when Gateway is unavailable (no implicit direct-channel fallback).
- Invalid/non-connect first frames are rejected and closed.
- Graceful shutdown emits `shutdown` event before socket close.
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
---
2025-12-09 14:41:41 +01:00
2026-02-11 10:44:34 -05:00
Related:
2026-01-31 21:13:13 +09:00
2026-02-11 10:44:34 -05:00
- [Troubleshooting ](/gateway/troubleshooting )
- [Background Process ](/gateway/background-process )
- [Configuration ](/gateway/configuration )
- [Health ](/gateway/health )
- [Doctor ](/gateway/doctor )
- [Authentication ](/gateway/authentication )